activerecord-safer-lookup-query 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9a87fedc5a45149512589bb8be278f6d11415ed04b1c6af58df82360891491f9
+  data.tar.gz: 0f3e30a871a7b709571dd986fc2e85d14017d787ee8e85f3152b142bbd649e07
+SHA512:
+  metadata.gz: b263e41022b7bfcd9c659311057ae4d8b6a977535ffb11adfd1d1ebc1c55bb25f45381c06a48fbc9352ab1ae94b7c2c205c55d91b3c902d942003d44eb408b6c
+  data.tar.gz: 44da164571e78076467b80b50c729edbffc0d6a3920c3af6f95fb3375d37bed8e13a2c22e659bcf8262e2c306226dfb4e4c17b27f3a29e4a36e397f3ebddbb2c

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 developer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,76 @@
+# activerecord-safer-lookup-query
+
+`activerecord-safer-lookup-query` is a small static checker for Rails applications. It
+looks for class-level ActiveRecord lookups that may bypass tenant, organization,
+or user scopes.
+
+This is an audit tool, not a proof engine. Findings should be reviewed by a
+human before treating them as vulnerabilities.
+
+## Usage
+
+Run it from the target Rails repository:
+
+```sh
+exe/activerecord-safer-lookup-query
+exe/activerecord-safer-lookup-query app/graphql app/controllers
+exe/activerecord-safer-lookup-query --root /path/to/rails-app app/graphql
+exe/activerecord-safer-lookup-query --fail-level HIGH app/graphql
+exe/activerecord-safer-lookup-query --format json app/controllers/organizations
+exe/activerecord-safer-lookup-query --whitelist config/safer-query-whitelist.yml app/graphql
+```
+
+When installed as a gem, run:
+
+```sh
+gem install activerecord-safer-lookup-query
+activerecord-safer-lookup-query app/graphql app/controllers
+```
+
+## Rules
+
+- `GLOBAL_FIND_EXTERNAL_INPUT`: class-level `find` / `find_by` with `params`,
+  GraphQL `input`, `args`, `session`, cookies, headers, or request data.
+- `GLOBAL_FIND_ID_VARIABLE`: class-level `find` with a local `id`, `*_id`,
+  `*_ids`, `*_uuid`, `*_slug`, or `*_code` variable.
+- `GLOBAL_WHERE_EXTERNAL_IDS`: class-level `where(id: ...)` with external input.
+- `GLOBAL_NATURAL_KEY_LOOKUP`: class-level lookup by `email`, `uid`, `issuer`,
+  `code`, `subdomain`, `slug`, `token`, or similar natural keys.
+- `UNSCOPED_DESTRUCTIVE_IDS`: destructive operations driven by external/global
+  IDs.
+- `WITHOUT_TENANT_BOUNDARY`: boundary code that calls
+  `ActsAsTenant.without_tenant`.
+- `DRAFT_COURSE_EXPOSURE`: draft/closed course scopes in public-ish Rails
+  boundaries.
+
+Suppress a known-safe finding with:
+
+```ruby
+Course.find(params[:id]) # active_record_safer_lookup_query: ignore
+```
+
+Suppress resolved findings in `.activerecord-safer-lookup-query.yml`:
+
+```yml
+whitelist:
+  - path: app/graphql/mutations/active_user/select_curriculum.rb
+    rule: GLOBAL_FIND_EXTERNAL_INPUT
+    source: Curriculum.find
+    reason: The caller already scopes available curriculum IDs.
+```
+
+Whitelist entries match all fields that are present. `path`, `rule`, and
+`severity` support glob patterns, `line` can be a number or list of numbers,
+and `source` matches a source-code fragment. `reason` is documentation-only and
+does not affect matching.
+
+## Development
+
+```sh
+bundle install
+bundle exec rake
+```
+
+## License
+
+MIT.

data/exe/activerecord-safer-lookup-query

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+begin
+  require 'active_record_safer_lookup_query'
+rescue LoadError
+  require_relative '../lib/active_record_safer_lookup_query'
+end
+
+exit ActiveRecordSaferLookupQuery::Cli.run(ARGV)

data/lib/active_record_safer_lookup_query/checker.rb

@@ -0,0 +1,492 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'optparse'
+require 'pathname'
+require 'yaml'
+
+module ActiveRecordSaferLookupQuery
+  class Checker
+    DEFAULT_PATHS = %w[
+      app/controllers
+      app/graphql
+      app/api
+      app/forms
+      app/services
+    ].freeze
+
+    DEFAULT_EXCLUDE_PATTERNS = [
+      %r{\Aapp/controllers/debug/}
+    ].freeze
+
+    DEFAULT_WHITELIST_FILES = %w[
+      .activerecord-safer-lookup-query.yml
+      .activerecord-safer-lookup-query.yaml
+    ].freeze
+
+    IGNORE_MARKER = /(?:active_record_safer_lookup_query|activerecord_safer_query|global_find_audit|tenant_scope_audit):\s*ignore/
+    SEVERITY_RANK = {
+      'LOW' => 1,
+      'MEDIUM' => 2,
+      'HIGH' => 3
+    }.freeze
+
+    CONST_RECEIVER = /(?:::)?[A-Z][A-Za-z0-9_]*(?:::[A-Z][A-Za-z0-9_]*)*/
+    PLAIN_SCOPE_CHAIN = /(?:\.[a-z_][A-Za-z0-9_!?]*)*/
+    MODEL_CHAIN = /#{CONST_RECEIVER}#{PLAIN_SCOPE_CHAIN}/
+    EXTERNAL_SOURCE = /(?:params\s*(?:\[|\.|\.dig)|input\s*(?:\[|\.|\.dig)|args\s*(?:\[|\.|\.dig)|context\s*\[|session\s*\[|cookies\s*\[|request\.|headers\s*\[)/
+    RISKY_ID_VARIABLE = /(?:\bid\b|[a-z][a-z0-9_]*(?:_id|_ids|_uuid|_slug|_code)\b)/
+    NATURAL_KEY = /(?:email|uid|issuer|code|subdomain|slug|token|account|client_id|external_id)/
+    NATURAL_KEY_VALUE = /(?:#{EXTERNAL_SOURCE}|row\b|metadata\b|attributes_hash\b|saml_setting\b|response\b|payload\b|csv\b|id_token\b|token\b|issuer\b|code\b|email\b|uid\b)/
+    FIND_METHOD = /(?:find|find_by!?|find_or_initialize_by!?|find_or_create_by!?|create_or_find_by!?)/
+    DESTRUCTIVE_METHOD = /(?:destroy_all|delete_all|update_all|delete|destroy)\b/
+
+    DIRECT_FIND_START = /\b#{MODEL_CHAIN}\.(?:friendly\.)?#{FIND_METHOD}\b/
+    DIRECT_FIND_EXTERNAL_INPUT = /\b#{MODEL_CHAIN}\.(?:friendly\.)?#{FIND_METHOD}\s*\([^)]*#{EXTERNAL_SOURCE}/
+    DIRECT_FIND_ID_START = /\b#{MODEL_CHAIN}\.(?:friendly\.)?find\b/
+    DIRECT_FIND_ID_VARIABLE = /\b#{MODEL_CHAIN}\.(?:friendly\.)?find\s*\(\s*#{RISKY_ID_VARIABLE}\s*\)/
+    WHERE_START = /\b#{MODEL_CHAIN}\.where\b/
+    WHERE_CHAIN_START = /\A\.where\b/
+    WHERE_EXTERNAL_IDS = /\b#{MODEL_CHAIN}\.where\s*\([^)]*(?:\bid\b|[a-z_]+_id):\s*[^)]*#{EXTERNAL_SOURCE}/
+    NATURAL_KEY_LOOKUP_START = /\b#{MODEL_CHAIN}\.(?:find_by!?|find_or_initialize_by!?|find_or_create_by!?|create_or_find_by!?)\b/
+    NATURAL_KEY_LOOKUP = /\b#{MODEL_CHAIN}\.(?:find_by!?|find_or_initialize_by!?|find_or_create_by!?|create_or_find_by!?)\s*\([^)]*#{NATURAL_KEY}:\s*[^)]*#{NATURAL_KEY_VALUE}/
+    DESTRUCTIVE_EXTERNAL_ID_LOOKUP = /\b#{MODEL_CHAIN}\.where\s*\([^)]*(?:\bid\b|[a-z_]+_id):[^)]*(?:#{EXTERNAL_SOURCE}|#{RISKY_ID_VARIABLE})[^)]*\).*\.#{DESTRUCTIVE_METHOD}/
+    DESTRUCTIVE_EXTERNAL_LOOKUP = /\b#{MODEL_CHAIN}\.where\s*\([^)]*(?:#{EXTERNAL_SOURCE}|#{RISKY_ID_VARIABLE})[^)]*\).*\.#{DESTRUCTIVE_METHOD}/
+    DRAFT_COURSE_SCOPE = /\bCourse\.(?:draft|closed|where\s*\([^)]*state:\s*[^)]*(?:draft|closed)|glopla_lms)\b/
+
+    Finding = Struct.new(:path, :line, :severity, :rule, :message, :source, keyword_init: true) do
+      def to_h
+        {
+          path: path,
+          line: line,
+          severity: severity,
+          rule: rule,
+          message: message,
+          source: source
+        }
+      end
+
+      def fail_at?(threshold)
+        Checker::SEVERITY_RANK.fetch(severity) >= Checker::SEVERITY_RANK.fetch(threshold)
+      end
+    end
+
+    class Whitelist
+      def self.load(root:, paths:)
+        config_paths = default_paths(root) + explicit_paths(root, paths)
+        entries = config_paths.flat_map { |path| entries_from(path) }
+
+        new(entries)
+      end
+
+      def self.default_paths(root)
+        DEFAULT_WHITELIST_FILES.map { |path| root.join(path) }.select(&:file?)
+      end
+
+      def self.explicit_paths(root, paths)
+        paths.map do |path|
+          candidate = Pathname.new(path)
+          absolute_path = candidate.absolute? ? candidate : root.join(candidate)
+          raise ArgumentError, "whitelist file does not exist: #{path}" unless absolute_path.file?
+
+          absolute_path
+        end
+      end
+
+      def self.entries_from(path)
+        config = YAML.safe_load(path.read, permitted_classes: [], aliases: false) || {}
+        entries = if config.is_a?(Array)
+                    config
+                  elsif config.is_a?(Hash)
+                    config.fetch('whitelist', config.fetch('allowlist', []))
+                  else
+                    raise ArgumentError, "whitelist file must contain a hash or array: #{path}"
+                  end
+
+        unless entries.is_a?(Array)
+          raise ArgumentError, "whitelist entries must be an array: #{path}"
+        end
+
+        entries.map { |entry| Entry.new(entry, path) }
+      rescue Psych::SyntaxError => e
+        raise ArgumentError, "invalid whitelist YAML: #{path}: #{e.message}"
+      end
+
+      def initialize(entries)
+        @entries = entries
+      end
+
+      def match?(finding)
+        @entries.any? { |entry| entry.match?(finding) }
+      end
+
+      class Entry
+        def initialize(config, path)
+          unless config.is_a?(Hash)
+            raise ArgumentError, "whitelist entry must be a hash: #{path}"
+          end
+
+          @path = value(config, 'path')
+          @rule = value(config, 'rule')
+          @severity = value(config, 'severity')
+          @line = value(config, 'line')
+          @source = value(config, 'source')
+          @reason = value(config, 'reason')
+        end
+
+        def match?(finding)
+          match_pattern?(@path, finding.path) &&
+            match_pattern?(@rule, finding.rule) &&
+            match_pattern?(@severity, finding.severity) &&
+            match_line?(finding.line) &&
+            match_source?(finding.source)
+        end
+
+        private
+
+        def value(config, key)
+          config[key] || config[key.to_sym]
+        end
+
+        def match_pattern?(expected, actual)
+          return true if expected.nil?
+
+          Array(expected).any? do |pattern|
+            pattern = pattern.to_s
+            actual == pattern || File.fnmatch?(pattern, actual)
+          end
+        end
+
+        def match_line?(actual)
+          return true if @line.nil?
+
+          Array(@line).map(&:to_i).include?(actual)
+        end
+
+        def match_source?(actual)
+          return true if @source.nil?
+
+          Array(@source).any? { |source| actual.include?(source.to_s) }
+        end
+      end
+    end
+
+    def initialize(paths: DEFAULT_PATHS, root: Dir.pwd, whitelist_paths: [])
+      @root = Pathname.new(root).expand_path
+      @paths = paths.empty? ? DEFAULT_PATHS : paths
+      @whitelist = Whitelist.load(root: @root, paths: whitelist_paths)
+    end
+
+    def findings
+      ruby_files.flat_map { |path| findings_for(path) }
+                .uniq { |finding| [finding.path, finding.line, finding.rule] }
+                .reject { |finding| whitelist.match?(finding) }
+                .sort_by { |finding| [finding.path, finding.line, finding.rule] }
+    end
+
+    private
+
+    attr_reader :root, :paths, :whitelist
+
+    def ruby_files
+      files = paths.flat_map do |path|
+        absolute_path = absolute(path)
+        if absolute_path.file?
+          [absolute_path]
+        elsif absolute_path.directory?
+          absolute_path.glob('**/*.rb')
+        else
+          []
+        end
+      end
+
+      files.uniq.sort.reject { |path| excluded?(relative(path)) }
+    end
+
+    def findings_for(path)
+      lines = path.readlines(chomp: false)
+      lines.each_with_index.flat_map do |line, index|
+        next [] unless interesting_line?(line)
+
+        context = context_around(lines, index)
+        forward_context = context_from(lines, index)
+        next [] if ignored?(context)
+
+        rules_for(relative(path), index + 1, line, context, forward_context)
+      end
+    rescue Encoding::InvalidByteSequenceError, Encoding::UndefinedConversionError => e
+      [
+        Finding.new(
+          path: relative(path),
+          line: 1,
+          severity: 'LOW',
+          rule: 'UNREADABLE_FILE',
+          message: "Could not read as UTF-8: #{e.class}",
+          source: ''
+        )
+      ]
+    end
+
+    def rules_for(path, line_number, line, context, forward_context)
+      current_line = normalize(line)
+      normalized = normalize(context)
+      normalized_forward = normalize(forward_context)
+      findings = []
+
+      if direct_find_from_external_input?(current_line, normalized_forward)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'HIGH',
+          rule: 'GLOBAL_FIND_EXTERNAL_INPUT',
+          message: 'Class-level find/find_by uses params/input/args. Resolve from a tenant/user-scoped relation first.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      if direct_find_from_id_variable?(current_line, normalized_forward)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'MEDIUM',
+          rule: 'GLOBAL_FIND_ID_VARIABLE',
+          message: 'Class-level find uses a local *_id/id variable. Check that the variable was scoped before lookup.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      if where_from_external_ids?(current_line, normalized_forward)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'HIGH',
+          rule: 'GLOBAL_WHERE_EXTERNAL_IDS',
+          message: 'Class-level where(id: ...) uses external input. Intersect with the current tenant/user relation first.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      if natural_key_lookup?(current_line, normalized_forward)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'MEDIUM',
+          rule: 'GLOBAL_NATURAL_KEY_LOOKUP',
+          message: 'Class-level lookup by email/uid/issuer/code/etc. can cross tenant boundaries unless scoped.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      if destructive_external_ids?(current_line, normalized)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'HIGH',
+          rule: 'UNSCOPED_DESTRUCTIVE_IDS',
+          message: 'Destructive operation is driven by external/global IDs. Scope the target set before deleting/updating.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      if without_tenant_boundary?(path, current_line)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'LOW',
+          rule: 'WITHOUT_TENANT_BOUNDARY',
+          message: 'Boundary code disables tenant scoping. Verify that no cross-tenant data is returned to the caller.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      if draft_course_exposure?(path, current_line)
+        findings << build_finding(
+          path: path,
+          line: line_number,
+          severity: 'MEDIUM',
+          rule: 'DRAFT_COURSE_EXPOSURE',
+          message: 'Draft/closed course scope appears in an external boundary. Verify user entitlement before returning it.',
+          source: source_for(line, normalized)
+        )
+      end
+
+      findings
+    end
+
+    def direct_find_from_external_input?(current_line, normalized)
+      return false unless current_line.match?(DIRECT_FIND_START)
+
+      normalized.match?(DIRECT_FIND_EXTERNAL_INPUT)
+    end
+
+    def direct_find_from_id_variable?(current_line, normalized)
+      return false unless current_line.match?(DIRECT_FIND_ID_START)
+
+      normalized.match?(DIRECT_FIND_ID_VARIABLE)
+    end
+
+    def where_from_external_ids?(current_line, normalized)
+      return false unless current_line.match?(WHERE_START) || current_line.match?(WHERE_CHAIN_START)
+
+      normalized.match?(WHERE_EXTERNAL_IDS)
+    end
+
+    def natural_key_lookup?(current_line, normalized)
+      return false unless current_line.match?(NATURAL_KEY_LOOKUP_START)
+
+      normalized.match?(NATURAL_KEY_LOOKUP)
+    end
+
+    def destructive_external_ids?(current_line, normalized)
+      return false unless current_line.match?(DESTRUCTIVE_METHOD)
+
+      normalized.match?(DESTRUCTIVE_EXTERNAL_ID_LOOKUP) ||
+        normalized.match?(DESTRUCTIVE_EXTERNAL_LOOKUP)
+    end
+
+    def without_tenant_boundary?(path, current_line)
+      boundary_path?(path) && current_line.include?('ActsAsTenant.without_tenant')
+    end
+
+    def draft_course_exposure?(path, current_line)
+      return false unless boundary_path?(path)
+      return false unless path.include?('/active_user/') || path.include?('/partner/') || path.include?('/api/') || path.include?('/graphql/')
+
+      current_line.match?(DRAFT_COURSE_SCOPE) ||
+        (current_line.include?('draft_or_published') && !current_line.include?('viewable'))
+    end
+
+    def interesting_line?(line)
+      stripped = line.strip
+      return false if stripped.empty? || stripped.start_with?('#')
+
+      stripped.match?(CONST_RECEIVER) ||
+        stripped.include?('ActsAsTenant.without_tenant') ||
+        stripped.match?(DESTRUCTIVE_METHOD) ||
+        stripped.include?('draft_or_published')
+    end
+
+    def ignored?(context)
+      context.match?(IGNORE_MARKER)
+    end
+
+    def boundary_path?(path)
+      path.start_with?('app/controllers/', 'app/graphql/', 'app/api/', 'app/forms/', 'app/services/')
+    end
+
+    def context_around(lines, index)
+      from = [index - 4, 0].max
+      to = [index + 4, lines.length - 1].min
+      lines[from..to].join
+    end
+
+    def context_from(lines, index)
+      to = [index + 4, lines.length - 1].min
+      lines[index..to].join
+    end
+
+    def normalize(source)
+      source.gsub(/#.*$/, '').gsub(/\s+/, ' ').gsub(/\s+\./, '.').strip
+    end
+
+    def source_for(line, normalized)
+      source = line.strip.empty? ? normalized : line.strip
+      source.gsub(/\s+/, ' ')[0, 220]
+    end
+
+    def build_finding(path:, line:, severity:, rule:, message:, source:)
+      Finding.new(
+        path: path,
+        line: line,
+        severity: severity,
+        rule: rule,
+        message: message,
+        source: source
+      )
+    end
+
+    def absolute(path)
+      candidate = Pathname.new(path)
+      candidate.absolute? ? candidate : root.join(candidate)
+    end
+
+    def relative(path)
+      path.expand_path.relative_path_from(root).to_s
+    rescue ArgumentError
+      path.to_s
+    end
+
+    def excluded?(relative_path)
+      DEFAULT_EXCLUDE_PATTERNS.any? { |pattern| relative_path.match?(pattern) }
+    end
+  end
+
+  class Cli
+    DEFAULT_FORMAT = 'text'
+    DEFAULT_FAIL_LEVEL = 'LOW'
+
+    def self.run(argv = ARGV, out: $stdout, err: $stderr)
+      options = {
+        format: DEFAULT_FORMAT,
+        fail_level: DEFAULT_FAIL_LEVEL,
+        root: Dir.pwd,
+        whitelist_paths: []
+      }
+
+      parser = OptionParser.new do |opts|
+        opts.banner = 'Usage: activerecord-safer-lookup-query [options] [paths...]'
+        opts.separator ''
+        opts.separator 'Detect class-level ActiveRecord lookups that may bypass tenant/user scopes.'
+        opts.separator ''
+        opts.on('--root PATH', 'Target repository root. Default: current directory') { |value| options[:root] = value }
+        opts.on('--format FORMAT', 'text or json') { |value| options[:format] = value }
+        opts.on('--fail-level LEVEL', 'LOW, MEDIUM, or HIGH. Default: LOW') { |value| options[:fail_level] = value.upcase }
+        opts.on('--whitelist PATH', 'YAML whitelist file. Can be used multiple times') { |value| options[:whitelist_paths] << value }
+        opts.on('-h', '--help', 'Show this help') do
+          out.puts opts
+          return 0
+        end
+      end
+
+      paths = parser.parse(argv)
+      validate_options!(options)
+
+      findings = Checker.new(paths: paths, root: options[:root], whitelist_paths: options[:whitelist_paths]).findings
+      emit(findings, options, out)
+
+      findings.any? { |finding| finding.fail_at?(options[:fail_level]) } ? 1 : 0
+    rescue OptionParser::ParseError, ArgumentError => e
+      err.puts "[activerecord-safer-lookup-query] #{e.message}"
+      err.puts parser
+      2
+    end
+
+    def self.validate_options!(options)
+      unless %w[text json].include?(options[:format])
+        raise ArgumentError, "--format must be text or json: #{options[:format]}"
+      end
+
+      unless Checker::SEVERITY_RANK.key?(options[:fail_level])
+        raise ArgumentError, "--fail-level must be LOW, MEDIUM, or HIGH: #{options[:fail_level]}"
+      end
+    end
+
+    def self.emit(findings, options, out)
+      if options[:format] == 'json'
+        out.puts JSON.pretty_generate(findings.map(&:to_h))
+        return
+      end
+
+      if findings.empty?
+        out.puts '[activerecord-safer-lookup-query] no findings'
+        return
+      end
+
+      out.puts "[activerecord-safer-lookup-query] #{findings.size} findings"
+      findings.each do |finding|
+        out.puts "#{finding.path}:#{finding.line}: #{finding.severity} #{finding.rule}: #{finding.message}"
+        out.puts "  #{finding.source}" unless finding.source.empty?
+      end
+    end
+  end
+end

data/lib/active_record_safer_lookup_query/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ActiveRecordSaferLookupQuery
+  VERSION = '0.1.0'
+end

data/lib/active_record_safer_lookup_query.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative 'active_record_safer_lookup_query/checker'
+require_relative 'active_record_safer_lookup_query/version'

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification
+name: activerecord-safer-lookup-query
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- developer
+bindir: exe
+cert_chain: []
+date: 2026-06-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+description: Audits Rails code for class-level ActiveRecord lookups that may bypass
+  tenant, organization, or user scopes.
+email: []
+executables:
+- activerecord-safer-lookup-query
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- exe/activerecord-safer-lookup-query
+- lib/active_record_safer_lookup_query.rb
+- lib/active_record_safer_lookup_query/checker.rb
+- lib/active_record_safer_lookup_query/version.rb
+licenses:
+- MIT
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.2
+specification_version: 4
+summary: Static checker for risky class-level ActiveRecord lookups
+test_files: []